Your Password Manager Was Breached. Here Is Your Actual Risk Level.

Password manager breach notifications produce a predictable cycle: announcement, panic, opinion pieces from people who do not understand the architecture, and a wave of users switching to less secure alternatives out of a misplaced sense of action. I have worked in threat intelligence long enough to find this cycle tedious. Let me give you the actual threat model instead.

What password managers store and how

Reputable password managers use a zero-knowledge architecture. Your passwords are encrypted client-side, before they leave your device, using a key derived from your master password. The service never sees your master password. What is stored on their servers is encrypted ciphertext that is useless without the key — which only you have.

This means that in a breach of the server-side database, what the attacker gets is: your encrypted vault, your email address, some metadata (device types, usage patterns), and potentially your billing information if you are a paid subscriber. They do not get your passwords unless they can crack the encryption on your vault.

What cracking the vault actually requires

Modern password managers derive the vault encryption key using a slow key derivation function — typically PBKDF2 or Argon2 with a high iteration count. This means that brute-forcing the encryption requires testing each candidate master password by running it through thousands or millions of hash operations. Against a strong, unique master password, this is computationally infeasible at current hardware costs.

Against a weak master password — a dictionary word, a common pattern, anything under twelve characters without entropy — it is not infeasible. Attackers with breached vaults will prioritise cracking attempts against accounts where they have reason to believe the master password is weak: accounts with simple email patterns, accounts associated with other breaches where weak passwords were used, high-value targets.
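The cost model behind the two paragraphs above, as an added example that is not part of the original post: a client-side PBKDF2 key derivation, an entropy estimate for several master-password choices, and the expected time an offline guessing attack would need at a given hash rate. The iteration count (600,000) and the attacker's throughput (10^10 SHA-256 operations per second) are assumptions chosen for illustration, not figures from any specific product or breach.

```python
"""Why a slow KDF plus a high-entropy master password keeps a stolen vault
safe, and why a weak master password does not. Iteration count and hash
rate are assumed values for the estimate, not vendor figures."""
import hashlib
import math
import secrets

# Assumption: PBKDF2-HMAC-SHA256 with a high iteration count.
ITERATIONS = 600_000

# Assumption: aggregate SHA-256 throughput of an attacker's hardware
# (hash operations per second). Constructed figure for the estimate.
ASSUMED_HASH_RATE = 1e10


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """Client-side key derivation. Only ciphertext made with this key ever
    reaches the server; the master password itself never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret chosen uniformly at random: `length` symbols,
    each drawn from `alphabet_size` possibilities."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, iterations: int = ITERATIONS,
                           hash_rate: float = ASSUMED_HASH_RATE) -> float:
    """Expected time for an offline brute-force attack on the vault key.
    Every candidate master password costs `iterations` hash operations, and
    on average the attacker must try half the keyspace before succeeding."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses * iterations / hash_rate


def risk_table() -> dict:
    """Expected cracking time in years for several master-password choices.
    The word-list sizes are typical illustrative values, not from the post."""
    year = 365.25 * 24 * 3600
    candidates = {
        "single dictionary word (100k-word list)": entropy_bits(100_000, 1),
        "8 random lowercase letters": entropy_bits(26, 8),
        "12 random letters+digits": entropy_bits(36, 12),
        "5 random words (7776-word diceware list)": entropy_bits(7776, 5),
        "16 random printable ASCII": entropy_bits(95, 16),
    }
    return {name: expected_crack_seconds(bits) / year
            for name, bits in candidates.items()}


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # per-vault random salt, stored with the ciphertext
    key = derive_vault_key("correct horse battery staple river", salt)
    print("derived vault key:", key.hex())
    for name, years in risk_table().items():
        print(f"{name:45s} {years:12.3g} years")
```

The table makes the post's point concrete: with the same KDF, a single dictionary word falls in seconds, while a five-word random passphrase sits in the tens of millions of years. Raising the iteration count scales every row linearly, but only entropy moves a password between the two regimes, which is why the advice is to fix the master password first and treat the KDF as a multiplier.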

Your actual risk assessment

High risk: Your master password is a word, a name, a date, or under 16 characters without random characters. Change it immediately. Use a passphrase of five or more unrelated words if that is easier to remember than a random string.

Medium risk: Your master password is strong but you have not enabled two-factor authentication on your password manager account. Enable it. This adds an authentication layer that possession of a stolen vault does not circumvent: an attacker who holds a copy of your encrypted vault still cannot log in to your account, sync changes, or pull a fresh copy of the vault without also passing the second factor.

Low risk: Strong master password, 2FA enabled, no reuse of the master password anywhere else. Your exposure in this breach is your email address and metadata. Monitor for phishing attempts using that email address. Otherwise: nothing urgent.

The question is not whether you were breached. The question is whether you know your threat model well enough to assess what that breach actually means for you. Compliance is the floor, not the ceiling. A strong master password and 2FA are the floor.
